Apple plugs eight more QuickTime holes

Apple plugs eight more QuickTime holes

Summary: Apple today shipped its fifth QuickTime security update for 2007, patching at least eight vulnerabilities that could cause code execution attacks on Mac OS X, Windows XP and Windows Vista systems.

SHARE:

Apple plugs eight more QuickTime holesApple today shipped its fifth QuickTime security update for 2007, patching at least eight vulnerabilities that could cause code execution attacks on Mac OS X, Windows XP and Windows Vista systems.

The skinny, according to this Cupertino alert:

CVE-2007-2295 -- A memory corruption issue exists in QuickTime's handling of H.264 movies. By enticing a user to access a maliciously crafted H.264 movie, an attacker can trigger the issue which may lead to an unexpected application termination or arbitrary code execution. (Available for Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2).

CVE-2007-2392 -- A memory corruption issue exists in QuickTime's handling of movie files. By enticing a user to access a maliciously crafted movie file, an attacker can trigger the issue which may lead to an unexpected application termination or arbitrary code execution. (Available for Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2).

CVE-2007-2296 -- An integer overflow vulnerability exists in QuickTime's handling of .m4v files. By enticing a user to access a maliciously crafted .m4v file, an attacker can trigger the issue which may lead to an unexpected application termination or arbitrary code execution. (Available for Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2).

CVE-2007-2394 -- An integer overflow vulnerability exists in QuickTime's handling of SMIL files. By enticing a user to access a maliciously crafted SMIL file, an attacker can trigger the issue which may lead to an unexpected application termination or arbitrary code execution. (Available for Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2)

[ SEE: Safari on Windows could be big target for malware ]

CVE-2007-2397 -- A design issue exists in QuickTime for Java, which may allow security checks to be disabled. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution. (Available for Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2).

CVE-2007-2393 -- A design issue exists in QuickTime for Java. This may allow Java applets to bypass security checks in order to read and write process memory. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution. (Available for Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2).

[ SEE: Securing Safari: How to run Apple's Web browser securely ]

CVE-2007-2396 -- A design issue exists in QuickTime for Java. JDirect exposes interfaces that may allow loading arbitrary libraries and freeing arbitrary memory. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution. (Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2).

CVE-2007-2402 -- A design issue exists in QuickTime for Java, which may allow a malicious website to capture a client's screen content. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to the disclosure of sensitive information. (Available for Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2).

Topics: Operating Systems, Apple, Hardware, Microsoft, Open Source, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

80 comments
Log in or register to join the discussion
  • Doesn't affect me, I steer clear of all Apple software

    So far, I've yet to be infected with any type of malware in the 12 years I've been running Windows. Hmm, we already know that [url=http://blog.washingtonpost.com/securityfix/2006/10/apple_ships_video_ipods_with_w.html] Apple deliberately infects their Windows software with viruses [/url] so I wonder if it is any coincidence that I'm Apple free [b]and[/b] malware free?

    Take it from me folks, don't use any Apple software and you will probably not get any Windows malware.

    Once again, I want to stress that these vulnerabilities do not affect me in any way imaginable. I don't run any Apple software, I will never run any Apple software, so I'm just writing to tell all of you that if you too avoid Apple software, you too will avoid any Windows malware.

    Thank you.

    </parody of all the Mac zealots who post "doesn't affect me" in every story about Microsoft vulnerabilities">
    NonZealot
    • Try steering clear of Microsoft and use Firefox on another OS .

      You wont have any problems . Software programmers make software for all kinds of OS's but Windows causes the most problems . WHY ?!?!?!?!?! Because Microsoft coding is shoddy . It's spaghetti code with swiss cheese on it .
      I'm Ye, the MS SHILL .
      • And you know it's spaghetti code how...

        it's because your a OS programmer? An applications programmer? a gamer programmer? If you had even one quarter of a brain you would know that M$, A$, L$, and their browsers have and had holes for years. When's the last time you checked on FF patches? Linux patches? Maybe you should actually read the blogs you reply to once in awhile? Get a clue! See below:

        PHOTO GALLERY

        Securing Firefox: How to avoid hacker attacks on Mozilla's browser
        Firefox users should be aware that hackers can exploit software flaws and design features to launch attacks.
        fredfarkwater@...
      • Did you read?

        You do realize this article is about a grip of flaws written by APPLE programmers, not MS programmers, don't you?

        Apple is at the some point of the security learning curve that MS was half a decade ago, luckily for them not the same spotlight on them, however.
        KTLA
      • He heard the term at a party and thought it was cool...

        Actually MS Developers have some pretty nice standards. Yes I'm a developer and I have two developer friends working in Redmond. And another at Apple...they are all pretty good developers.
        fr0thy2.
        • Sigh

          You don't recognize a religious argument when you see one, do you? Your "facts" and "real world experience" have no place here, go to AnandTech or somewhere to spew that crap. :-)
          KTLA
      • Prove it.

        Link to some Microsoft code that proves your point or just shut it.
        xuniL_z
    • re:"Hmm, we already know that Apple deliberately infects their Windows

      software with viruses ."

      That sounds pretty stupid NonZealot . Why would Apple hurt the customers that are making them (Apple) rich . If anything it was Windows software that infected the iPod , not Macintosh software . At least APPLE was quick to resolve that issue .

      This from the same story you pointed out NonZealot :

      "The iPod news comes just days after McDonald's Japan recalled MP3 players it gave away as prizes to customers after learning that the devices shipped with spyware designed to steal sensitive data that users entered at financial and e-commerce Web sites. Last year, multimedia giant Creative acknowledged that roughly 4,000 of the company's Zen Neon MP3 players shipped with a Windows computer worm embedded inside."

      So by your own admission no one should be buying into Creative Zen MP3 players either . There were only 25 instances with iPods being infected as opposed to 4,000 Creative Zen MP3 players .

      Now NonZealot why don't you go back to Microsoft and tell them to fix that old flaw from 2004 . You know the one that is causing headaches for Mozilla and Apple .

      Story here:

      Microsoft should block that IE-to-Firefox attack vector

      http://blogs.zdnet.com/security/?p=367

      I know it is not as bad as the .ani exploit , or the 10,000 Italian websites that were hacked into and passing out the MPACK kit issues , but hey , Microsoft has to start somewhere . So why not belittle the competition right NonZealot . You & Microsoft are losing and you can't take the losses . Do you own stock in Microsoft ? Do you work for Microsoft ? I'd like to know , because all you ever do over these boards is put down everyone that doesn't believe in what you say .
      The_Nutty_Zealot
      • You just proved his point

        Wow the Apple faithful get defensive and wound up quick don't they. You didn't read the part at the bottom? It was a parody of how Mac users constantly post that they are safe from malware, Apple's products are invulnerable..and on and on. <br>
        I'm sure you never made it that far in his post. You got bent after the first hint it was not a pro-Apple post and reading the rest became secondary to firing off your return. <br>
        Either that or you are NZ's straight man. Too funny.
        xuniL_z
    • It's truly sad...

      that someone can be so obsessed.

      Here we have a guy who is apparently so delusional that he calls himself
      "NonZealot," yet he trolls about ZDNet, just so he can post ignorant posts, like the
      real zealot he appears to be. He himself has stated that he hasn't used any Apple
      product since 2001. That's right: He has publicly stated that he's never used OS X,
      and, by extension, any Mac made in the last six years. And yet he still feels as if
      his comments have any value.

      Why would anyone act this way? Does he like making himself the laughing stock of
      all here who [b]truly[/b] have "no axe to grind?" I doubt that many here take his
      posts seriously, as they are truly devoid of information.

      I have noticed, however, that his posts tend to show up only on weekdays, and only
      before the evening. This leads me to believe that he is doing this on company
      time. Yep, it looks as though he's being paid to be a troll.

      How else can these posts be explained, other than true obsession? Given the
      number and mind numbing idiocy of his posts, I can't believe that anyone so
      delusional could really function in the real world. Therefore, I must presume, he's
      just a paid shill.

      He's best ignored.
      msalzberg
      • maybe

        nonzealot and george are one in the same???
        richvball44
      • Message has been deleted.

        frgough
        • re:A much simpler explanation

          "He's a 14-year old social reject who gets his sense of self-worth by people paying attention to him on these boards."


          Hey wait a minute now , that was a pretty good description of Loverock Davidson . Where is the ole chum ? Anyone seen L.D. lately ?
          The_Nutty_Zealot
          • LOOK EVERYONE!@#*&#@#! HE MENTIONS ME!!!

            People speak of me even when I haven't posted comments yet. You can't buy that kind of popularity.
            Loverock Davidson
          • For crying out loud

            You're never going to realize that people are NOT mentioning you in a good way are you?
            Shelendrea
          • You know the saying...

            ... there's no such thing as bad publicity.
            Badgered
    • One of your better ones

      Unfortunately some are going to take you seriously, but it's give the
      thread more hits.
      Ken_z
    • Are you paid by Apple?

      I actually start to think you are paid by Apple to make Anti-Mac zealots look like
      idiots.
      Non-Zealand
      • Good one....:)

        He's been exceptionally silly of late.....smells of desperation but what I don't
        understand is why or where such desperation comes from. Does he have a vested
        interest in this whole platform war?

        Pagan jim
        Laff
        • You didn't get it either.

          Well, that makes sense. You are far more emotionally attached than you could even realize. Only from the outside (reality) looking in, is it painfully obvious.
          xuniL_z